For
Darktrace researchers, the numbers are a warning to security teams. The vendor saw a 100-fold increase in the number of email bombing messages between April and July, jumping from 200,000 to more than 20 million across its email customer base. There was also a 1,317% month-over-month rise in phishing attacks targeting Black Friday, using the busy shopping day after Thanksgiving to target customers.
The figures show how bad actors are not using only email to run their social engineering attacks, but span across identity platforms, software-as-a-service (SaaS) tools, and collaboration apps, such as Microsoft’s Teams or Zoom, and focus on both inbound and outbound email.
The problem is that most security teams use different detection tools for the various domains, creating what
Benjamin Druttman, cybersecurity AI technical instructor for Darktrace, calls “blind spots where attackers can shelter undetected.”
“Adversaries will purposefully execute different stages of an attack across different domains, ensuring no single tool picks up too many traces of their malicious activity,” Druttman
wrote in a blog post. “Identifying and investigating this type of threat, known as a cross-domain attack, requires mastery in event correlation.”
An isolated scan detected on the network may initially appear harmless, but “only when it is stitched together with a rare O365 login, a new email rule and anomalous remote connections to an S3 bucket in AWS does it begin to manifest as an actual intrusion,” he wrote.
Enhancements to Darktrace Email
UK-based Darktrace’s AI-powered platform addresses security in a range of areas, from identity and email to the cloud, operational technology (OT), and the network. It also includes a number of cross-platform products, such as exposure and attack surface management and incident readiness, and recovery.
This month, the vendor introduced enhancements to its Darktrace Email solution, which uses a self-learning AI engine to understand users’ normal email behavior. Darktrace is more tightly integrating its email protection tool with Darktrace Identity to more quickly detect attempted account takeovers or impersonation threats against users and address potentially malicious tickets that are created from email.
This will help with campaigns like email bombing, when threat actors deluge a target’s inbox with massive numbers of emails, making it difficult for the victim to know what’s legitimate. The attackers then reach out through another channel, such as phone calls or Teams, posing as someone from a helpdesk.
Verified Brands
To help organizations address the rising numbers of phishing attacks seen on busy days like Black Friday, where hackers use impersonation scams and trusted channels to abuse brands and fool customers, its Email-DMARC solutions now have Brand Indicators for Message Identification (BIMI), which lets organizations display a verified brand logo directly in the email recipients’ inboxes to prove legitimacy.
This allows organizations to authenticate outbound messages and identify inbound emails that are part of impersonation scams.
“In general, the retail sector can find itself caught in tradeoffs where its attention is focused on making it as simple as possible to purchase an item while not making it as secure as possible,” said
James Maude, field CTO for
BeyondTrust. “No one wants to prompt a customer to pass an MFA [multi-factor authentication] challenge that could make them think twice about an impulse buy. Similarly, rewards points and loyalty schemes have become a regular target for attack as attackers launch credential stuffing campaigns fueled by other breaches to access and cash out rewards and points into untraceable gift cards or goods.”
Protecting Sensitive Information
In addition, a new behavioral data loss prevention (DLP) tool within Darktrace Email that learns how users tend to handle sensitive information and can identify when outbound email deviates from the pattern to protect against user errors like wrong addresses and unintended data sharing.
Further integrations now let Darktrace automatically create a
Jira and
ServiceNow ticket so a report can be captured, tracked, and properly routed. In addition, through new sandbox analysis integration, analysts can investigate payload behavior in isolated environments in the Darktrace UI.
Lessons for MSSPs
All of this is something that MSSPs need to think about, according to
Jason Soroko, Senior Fellow at
Sectigo. They are present in many organizations at the same time, so Darktrace’s research into email bombing and seasonal phishing “should be treated as an early warning that both their controls and operating models must evolve,” he told MSSP Alert. “A 100x jump in email bombing between April and July 2025, from 200,000 to more than 20 million messages, shows that attackers are using high-volume but seemingly benign traffic to blind users and legacy filters, then moving to channels such as Teams or phone to pose as IT and steal access.”
MSSPs can’t treat email as an isolated layer, because inbox floods are now the opening move in a cross-domain campaign, Soroko said. The 1,317% jump in Black Friday-themed phishing and the sharp rise in spoofs of major retail brands indicate how quickly attackers pivot to exploit customer trust and shopping habits, which directly impact MSSPs that protect ecommerce, retail, and financial clients.
Linking Email Telemetry, Other Information
MSSPs “should design detection and response that links email telemetry with identity, endpoint, cloud and collaboration data, so a sudden wave of benign looking messages automatically raises scrutiny on associated login attempts, password resets, and support interactions,” he said, adding that SOC playbooks, SIEM content, and extended detection and response (XDR) rules should be tuned to catch such patterns as bursts of newsletter signups, repeated account notifications, and out-of-character shopping related lures, all backed by user awareness training.
For retailers, they can offer and manage DMARC and brand verification, monitor for brand abuse and shopper-focused phishing, and turn those insights into seasonal readiness plans ahead of events like Black Friday.